Introduction & Scope
BubbleNote ("we", "us", "our") operates both as a data controller for information related to your account and as a data processor for feedback data collected on behalf of our customers through the widget.
This Privacy Policy applies to information we collect when you use the BubbleNote website, dashboard, and embedded feedback widget. It does not cover third-party websites linked from our Service.
Two roles, one product: When you sign up for BubbleNote, we are the controller of your account data. When your website visitors submit feedback through the widget you embed, we process that data on your behalf — making you the data controller and us the processor.
Information We Collect
Account & Registration Data
Name, email address, password (hashed), billing information, and team/organization details. Collected when you register or update your profile.
Feedback & Widget Data
Collected on behalf of our customers when end users submit feedback through the embedded widget:
- Feedback message text and email (if provided by the user)
- Full-page screenshot and annotated region
- Browser, OS, device type, screen resolution, and viewport size
- Page URL and approximate geographic location (country/region)
Customers are responsible for ensuring they have the legal right to collect any data submitted through the widget, and for providing appropriate notice and obtaining any required consent on their own websites. We recommend that you configure the widget to avoid capturing sensitive personal data — such as passwords, financial information, or confidential records. We are not responsible for sensitive information that is voluntarily or inadvertently included in submissions.
Usage & Technical Data
Log data including IP addresses, browser type, pages visited within the dashboard, time spent, and errors encountered. Used to operate and improve the Service.
How We Use Your Data
We use the information we collect for the following purposes:
Providing the Service
Storing, processing, and displaying feedback data to you and your team members.
Billing & Payments
Processing subscription payments and sending invoices.
Notifications & Communication
Sending feedback notifications, product updates, and important service announcements.
Service Improvement
Analyzing aggregated, anonymized usage patterns to improve features and performance.
Security & Fraud Prevention
Detecting and preventing abuse, unauthorized access, and other harmful activity.
Legal Compliance
Meeting our legal obligations under applicable data protection and privacy laws.
Legal Basis for Processing
Where applicable under data protection laws such as the GDPR, we rely on the following legal bases:
- Processing is necessary to provide and maintain the Service you have signed up for.
- To improve, secure, and analyze the performance of our Service, where not overridden by your rights.
- Where required, such as for optional analytics cookies or certain communications.
- Where processing is necessary to comply with applicable laws and regulations.
When acting as a data processor for your feedback widget, we process end-user data strictly in accordance with your instructions as the customer. You, as the data controller, are responsible for establishing a valid lawful basis (such as consent or legitimate interest) for collecting data from your own users.
We do not sell your personal data to third parties or use it for advertising purposes.
Sharing & Third Parties
We do not sell, trade, or rent your personal information. We may share data only in the following circumstances:
Service Providers
We use vetted third-party services for infrastructure (hosting, databases), payments (Stripe), email delivery, and analytics. These processors are bound by data processing agreements and may only use your data to perform services on our behalf.
Legal Requirements
We may disclose data if required by law, court order, or a government authority. We will notify you where legally permitted.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice and options before your data becomes subject to a different privacy policy.
Subprocessors
We engage trusted third-party service providers to support the delivery of our Service, including hosting providers, payment processors, email delivery services, and analytics tools. These providers are contractually bound to process personal data only on our behalf and in accordance with applicable data protection laws.
Data Processing Agreement (DPA)
For customers who require it under applicable data protection laws, we offer a Data Processing Agreement (DPA) governing our processing of personal data on your behalf. You may request a copy by contacting us at [email protected].
Data Retention
We retain your personal data for as long as your account is active and for a reasonable period thereafter to comply with our legal obligations, resolve disputes, and enforce agreements.
Feedback data associated with your projects is retained for the duration of your subscription. You are responsible for exporting your data before deleting your account. Upon deletion, your data will be permanently removed from our active systems.
Anonymized, aggregated data may be retained indefinitely as it can no longer be used to identify you.
Security Measures
We implement industry-standard technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities as required by applicable law.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Request a copy of the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your data ("right to be forgotten").
- Request your data in a structured, machine-readable format.
- Request that we restrict how we process your data in certain circumstances.
- Object to processing based on legitimate interests or direct marketing.
- California residents may opt out of the "sale" of personal information (we do not sell data).
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. In some cases, we may need to verify your identity before processing the request.
Children's Privacy
The Service is not directed to children under the age of 13 (or higher where required by applicable law). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].
If we discover we have inadvertently collected personal information from a child under 16, we will delete it promptly.
International Data Transfers
BubbleNote operates from servers located in various regions, including the United States. If you are accessing the Service from outside those regions, your data may be transferred to and stored in locations — including the United States — that may have different data protection laws than your jurisdiction.
Where we transfer personal data from the European Economic Area (EEA), UK, or Switzerland to third countries, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions to ensure your data remains protected.
Policy Changes
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically to stay informed.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please reach out — we're happy to help.
We welcome responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue, please contact us at [email protected] before any public disclosure.